The version of VNC server running on the remote host is affected by the following vulnerabilities :
A flaw exists in RealVNC due to an error when handling password authentication. A remote attacker can exploit this to bypass authentication by using a specially crafted request in which the client specifies an insecure security type (e.g., ‘Type 1 - None’), which is accepted even if not offered by the server.
(CVE-2006-2369)
A flaw exists in LibVNCServer within file auth.c due to an error when handling password authentication. A remote attacker can exploit this to bypass authentication by using a specially crafted request in which the client specifies an insecure security type (e.g., ‘Type 1 - None’), which is accepted even if not offered by the server. (CVE-2006-2450)
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
if (description) {
script_id(21564);
script_version("1.30");
script_cvs_date("Date: 2018/07/25 18:58:04");
script_cve_id("CVE-2006-2369", "CVE-2006-2450");
script_bugtraq_id(17978, 18977);
script_xref(name:"CERT", value:"117929");
script_xref(name:"EDB-ID", value:"1791");
script_name(english:"VNC Security Type Enforcement Failure Remote Authentication Bypass");
script_summary(english:"Tries to bypass authentication using a type of None.");
script_set_attribute(attribute:"synopsis", value:
"The remote VNC server is affected by multiple authentication bypass
vulnerabilities.");
script_set_attribute(attribute:"description", value:
"The version of VNC server running on the remote host is affected by
the following vulnerabilities :
- A flaw exists in RealVNC due to an error when handling
password authentication. A remote attacker can exploit
this to bypass authentication by using a specially
crafted request in which the client specifies an
insecure security type (e.g., 'Type 1 - None'), which is
accepted even if not offered by the server.
(CVE-2006-2369)
- A flaw exists in LibVNCServer within file auth.c due to
an error when handling password authentication. A remote
attacker can exploit this to bypass authentication by
using a specially crafted request in which the client
specifies an insecure security type (e.g., 'Type 1 -
None'), which is accepted even if not offered by the
server. (CVE-2006-2450)");
# http://www.intelliadmin.com/index.php/2006/05/security-flaw-in-realvnc-411/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ef2b8a64" );
# https://web.archive.org/web/20060623010008/http://www.realvnc.com/products/free/4.1/release-notes.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8a2c16a0");
# https://web.archive.org/web/20060623010103/http://www.realvnc.com/products/personal/4.2/release-notes.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b218067e");
# https://web.archive.org/web/20060623010019/http://www.realvnc.com/products/enterprise/4.2/release-notes.html
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?519d872d");
script_set_attribute(attribute:"see_also", value:"https://github.com/LibVNC/libvncserver");
script_set_attribute(attribute:"solution", value:
"If using RealVNC, upgrade to RealVNC Free Edition 4.1.2 / Personal
Edition 4.2.3 / Enterprise Edition 4.2.3 or later.
If using LibVNCServer, upgrade to version 0.8.2 or later.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
script_set_attribute(attribute:"vuln_publication_date", value: "2006/05/15");
script_set_attribute(attribute:"patch_publication_date", value: "2006/06/23");
script_set_attribute(attribute:"plugin_publication_date", value: "2006/05/15");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe",value:"cpe:/a:vnc:realvnc");
script_set_attribute(attribute:"cpe",value:"cpe:/a:libvncserver:libvncserver");
script_end_attributes();
script_category(ACT_ATTACK);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
script_dependencies("vnc.nasl");
script_require_ports("Services/vnc", 5900);
exit(0);
}
include("audit.inc");
include("byte_func.inc");
include("global_settings.inc");
include("misc_func.inc");
protocol = "VNC Service";
port = get_kb_item("Services/vnc");
if (!port) port = 5900;
if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port);
# Establish a connection.
soc = open_sock_tcp(port);
if (!soc) audit(AUDIT_SOCK_FAIL, port);
# nb: The RFB protocol is described at:
# http://www.realvnc.com/docs/rfbproto.pdf
# Get the protocol version supported by the server.
s = recv(socket:soc, length:512, min:12);
if (empty_or_null(s) || strlen(s) < 12)
{
close(soc);
audit(AUDIT_NO_BANNER, port);
}
v = pregmatch(pattern:'^RFB ([0-9]+)\\.([0-9]+)\n', string:s);
if (empty_or_null(v))
{
close(soc);
audit(AUDIT_NO_BANNER, port);
}
ver_major = int(v[1]);
ver_minor = int(v[2]);
# nb: protocol versions before 3.7 don't allow the
# client to select the authentication type.
if (ver_major != 3 || ver_minor < 7)
{
close(soc);
audit(AUDIT_INST_VER_NOT_VULN, protocol);
}
# Reply with same version.
send(socket:soc, data:s);
# Read the security types supported by the server.
types = NULL;
set_byte_order(BYTE_ORDER_BIG_ENDIAN);
s = recv(socket:soc, length:1, min:1);
if (empty_or_null(s))
{
close(soc);
audit(AUDIT_SOCK_FAIL, port);
}
if (strlen(s) == 1)
{
n = ord(s);
if (n > 0)
{
for (i=0; i<n; i++)
{
s = recv(socket:soc, length:1, min:1);
if (empty_or_null(s))
{
close(soc);
audit(AUDIT_SOCK_FAIL, port);
}
if (isnull(types)) types = make_list(ord(s));
else types = make_list(types, ord(s));
}
}
}
if (types)
{
# Make sure authentication is required.
auth_required = 1;
foreach type (types)
# nb: type == 0 => connection failed.
if (type == 0) auth_required = 0;
# nb: type == 1 => None is supported.
else if (type == 1) auth_required = 0;
# If it is...
if (auth_required)
{
# Try to bypass authentication.
send(socket:soc, data:mkbyte(1));
# If the protocol is below 3.8, send a ClientInit and look for a ServerInit.
if (ver_minor < 8)
{
# Set Shared-Flag to true.
send(socket:soc, data:mkbyte(1));
s = recv(socket:soc, length:128);
# There's a problem if it looks like a ServerInit
if (! empty_or_null(s)
&& strlen(s) >= 24
&& getdword(blob:s, pos:0x14) + 24 == strlen(s)
)
{
security_hole(port);
}
else
{
close(soc);
audit(AUDIT_INST_VER_NOT_VULN, protocol);
}
}
# If the protocol is 3.8, check the SecurityResult message.
else
{
s = recv(socket:soc, min:3, length:8);
# There's a problem if it's an OK response of four null bytes.
if (! empty_or_null(s) && s == mkdword(0))
{
security_hole(port);
}
else
{
close(soc);
audit(AUDIT_INST_VER_NOT_VULN, protocol);
}
}
}
else
{
close(soc);
audit(AUDIT_INST_VER_NOT_VULN, protocol);
}
}
else
{
close(soc);
audit(AUDIT_INST_VER_NOT_VULN, protocol);
}
close(soc);
Vendor | Product | Version | CPE |
---|---|---|---|
vnc | realvnc | cpe:/a:vnc:realvnc | |
libvncserver | libvncserver | cpe:/a:libvncserver:libvncserver |